Supply Chain Attacks and Response

David Seidman

November 2018

On October 4, 2018, Bloomberg Businessweek reported that Chinese spies had surreptitiously implanted microchips as small as a “sharpened pencil tip” on server motherboards sold by Supermicro, an American company whose customers included Apple and Amazon. Businessweek alleged that the spies had coerced Chinese subcontractors into installing the chips before the finished boards were shipped on to assemblers elsewhere in the world. The implanted chips allegedly created a backdoor that gave Chinese intelligence access to sensitive information on the end users’ systems.

Both Apple and Amazon denied that the hack had occurred. The Department of Homeland Security and the United Kingdom’s National Cyber Security Centre sided with the companies, saying they “have no reason to doubt the statements from the companies.”

Bloomberg stood by its reporting and doubled down on the original allegations in a follow-up piece. The back and forth highlights growing public awareness of the prevalence of, and risk factors behind, global supply chain vulnerabilities, an awareness certain to grow further alongside debates about the appropriate role of Chinese manufacturing. The stakes are high: Supermicro’s stock price plummeted by 53% the day after the Bloomberg story was released, and the reporting also implicated Amazon’s efforts to build a secure cloud storage system for the CIA.

By some estimates, China makes 75% of the world’s mobile phones and 90% of its personal computers. Ironically, Edward Snowden’s disclosures about America’s own successful hardware hacks of Chinese servers may have led China to accelerate a campaign of self-reliance, with quotas on foreign-made products, greater technology-transfer requirements for market access, and an increased concentration of server manufacturing in China. Detecting hardware implants is difficult. Because no uniform set of detection tools exists, analysts are often forced to rely on analog signals, such as unexplained changes in a device’s power consumption, to spot a modification. The modifications are also incredibly subtle: security experts have found finished components whose housings were metal rather than the original plastic, the metal being needed to dissipate the heat from a hidden chip.
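The power-consumption check described above, as an added illustration that is not part of the original article: known-good boards from the same batch are profiled once, and a unit under test is flagged only if it deviates from that golden profile persistently rather than at a single sample. The traces, the 12 mA parasitic draw, the 4-sigma threshold and the five-sample run length are all constructed assumptions for this example, not measurements from the Supermicro case.

```python
"""Golden-reference comparison of board power traces (added example, not from
the article). Each trace is a list of mean current readings in milliamps taken
at fixed intervals while the board runs an identical test workload. A hidden
chip that draws power shows up as an offset that persists across samples, which
is what distinguishes it from one-off measurement noise.
"""
from statistics import mean, pstdev

# Constructed workload waveform for a known-good board (mA per sample). Not real data.
BASE = [500, 500, 510, 520, 520, 515, 510, 505, 500, 500,
        530, 540, 540, 530, 520, 510, 505, 500, 500, 500]


def make_trace(board, offset=0.0):
    """Synthesize one board's trace: BASE plus deterministic per-board noise
    (within +/-0.6 mA) plus a constant `offset` in mA (0 for a clean board)."""
    noise = [((7 * i + 3 * board) % 5 - 2) * 0.3 for i in range(len(BASE))]
    return [b + n + offset for b, n in zip(BASE, noise)]


def build_profile(reference_traces):
    """Per-sample mean and population std across known-good boards."""
    n = len(reference_traces[0])
    if any(len(t) != n for t in reference_traces):
        raise ValueError("reference traces must have the same length")
    means = [mean(t[i] for t in reference_traces) for i in range(n)]
    stds = [pstdev(t[i] for t in reference_traces) for i in range(n)]
    return means, stds


def z_scores(trace, profile, floor=0.05):
    """Per-sample z-score of `trace` against the profile. `floor` (mA) bounds
    the std so a sample where all references happened to agree does not turn
    ordinary noise into a huge score."""
    means, stds = profile
    if len(trace) != len(means):
        raise ValueError("trace length does not match profile")
    return [(x - m) / max(s, floor) for x, m, s in zip(trace, means, stds)]


def flag_implant(trace, profile, z_threshold=4.0, min_run=5):
    """Return True if `min_run` consecutive samples exceed `z_threshold`.
    Requiring a run rejects single-sample transients; a parasitic chip draws
    power continuously, so its offset is present at every sample."""
    run = 0
    for z in z_scores(trace, profile):
        run = run + 1 if abs(z) > z_threshold else 0
        if run >= min_run:
            return True
    return False


# Four known-good boards from the same batch form the golden reference.
REFERENCE = [make_trace(k) for k in range(4)]
PROFILE = build_profile(REFERENCE)

GOOD = make_trace(4)                  # unmodified board with different noise
SUSPECT = make_trace(5, offset=12.0)  # hypothetical implant drawing +12 mA
SPIKE = make_trace(4)
SPIKE[7] += 30.0                      # one-sample transient, not an implant

if __name__ == "__main__":
    for name, trace in (("good", GOOD), ("suspect", SUSPECT), ("spike", SPIKE)):
        worst = max(abs(z) for z in z_scores(trace, PROFILE))
        print(f"{name:8s} max|z|={worst:6.1f} flagged={flag_implant(trace, PROFILE)}")
```

The run-length requirement is the practical part: a single high z-score is routine on real hardware (a fan spinning up, a DVFS transition), so a threshold alone would bury the analyst in false positives, while a constant offset that survives across a whole workload is the signature worth pulling a board off the line for.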

Manufacturing alternatives appear limited. For example, European and Japanese telephone equipment brands also rely heavily on Chinese supply chains. Some experts have suggested a “small yard and a high fence” approach: giving up on defending most products and focusing on building local, secure supply chains for the items that must not be compromised, such as the cellphones of “Senators and admirals.” The National Security Agency already modifies the President’s cell phone to reduce its vulnerabilities.

Supply chain hacks highlight the often overlooked physical nature of the digital world: users reach it through servers, mobile phones, and computers, every one of which is a manufactured object.

Part of the answer to reducing such attacks may be a familiar one: applying traditional law enforcement and international norms to bad actors in cyberspace. There is increasing evidence that the United States is aggressively following this approach. In the last few weeks, the United States successfully extradited an alleged Chinese spy to face trial in Cincinnati for obtaining and emailing trade secrets from GE Aviation.

A forthcoming book from a former Assistant Attorney General reveals that the United States was able, at least temporarily, to force the Chinese to stop stealing American trade secrets by extraditing a Chinese spy from Canada. The United States alleged that Su Bin, an aviation consultant in Canada, sat at another intersection of the digital and analog worlds, using his specialized knowledge and personal relationships to direct Chinese military hackers to specific firms and then reviewing the stolen files for relevant information. In Su’s case, Chinese hackers successfully targeted American manufacturers of the C-17, an advanced military cargo plane that cost more than $31 billion in research and development in the 1980s and 1990s. And on October 10, the Treasury Department announced that it would more aggressively review foreign investments in any business that designs or produces telecom, semiconductor, and computer equipment.

The Bloomberg reporting and the contested follow-up mark an inflection point in the awareness of policymakers, and increasingly the public, of the vulnerabilities of global supply chains. Developing strategies to ensure the integrity of those supply chains matters more and more in an ever more connected world.